Business Security – Convince My Boss

Content Copyright © 2006 Bloor. All Rights Reserved.

A secure infrastructure is seen by many business leaders as a
necessary cost of building their organisation. Others see it as an
irritant that indulges ‘techies’ intent on playing with
the latest information technology at great cost to the business,
and wish it would all go away.

Irrespective of the emotional response, most bosses would surely
agree that having a secure infrastructure is good for business as
it reduces system downtime and increases employee, partner and
customer confidence.

At the very least the reputational risk of having your company
name in the headlines for “Security Breaches” should
put the frighteners on many bosses.

A secure infrastructure must be integral to the business, and as
such needs to be passionately owned by the CxO leadership team. The
status of infrastructure security needs to be raised in the eyes of
the business community and as such I believe in the notion of the
Assured business—that is a business that is free to conduct
its day-to-day work away from the angst of having to deal with the
latest virus attack perpetrated by a teenager a continent away.

Increasing legislation brings a greater need to ensure systems
are compliant and follow best practice—nothing focuses the mind of
the CEO more than a possible court case involving them
personally.

In reality few, if any, organisations can confidently declare
that they are an Assured business. In practice there will be
vulnerabilities of many shapes and sizes throughout the business,
evolving each day as new threats reveal themselves. These are a
constant challenge to the Assured business.

For me, a business that is not Assured is something I would call
Unassured or Transition, depending on where it is in the
Assured business matrix. The journey from an Unassured business to
an Assured business can be complex and expensive, or it can be achieved
cost-effectively if security resources are planned and acquired
sensibly.

In reality organisations will never be able to achieve a
watertight infrastructure, but can get enough confidence to be able
to conduct business without having to worry that the latest piece
of rogue software will necessarily destroy them.

The precise placement of a business in the Unassured/Transition
or Assured matrix is dynamic—failing to apply the latest
software update in a timely fashion can rapidly see a business
demoted to an Unassured status. This further underpins the need to
keep policies and procedures current and under constant review.

A “snakes and ladders” approach, with expensive
investment in tactical technology ladders followed by a slip down a
malware snake, will only lead to disarray and loss of confidence in
the technical team.

Convincing the boss of the importance of doing IT security
properly is a key part of our jobs as IT professionals. It’s a big
job, but an important one.

To read more about security and the Assured business, download my free
whitepaper (registration required).